topic Re: ISE 3.3 system certificate update in Network Access Control https://community.cisco.com/t5/network-access-control/ise-3-3-system-certificate-update/m-p/5312944#M597439 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1069406">@MonkeyBear007</a>&nbsp;did you look at the ciscolive presentation and under the scenario of using wildcard or multiSAN certificate?</P> Wed, 23 Jul 2025 14:56:27 GMT Rob Ingram 2025-07-23T14:56:27Z ISE 3.3 system certificate update https://community.cisco.com/t5/network-access-control/ise-3-3-system-certificate-update/m-p/5312911#M597435 <P>ISE 3.3 system certificate update</P><P>We use public cert and what is recommended way to renewal cert has they are part of the deployment pri and secondary&nbsp;<BR />they are not part of the PAN failover<BR /><BR />does it matter if i gave it two of the common name of both ISE servers and upload to each ISE?<BR />best practice to make it for each ISE server?</P> Wed, 23 Jul 2025 13:57:08 GMT https://community.cisco.com/t5/network-access-control/ise-3-3-system-certificate-update/m-p/5312911#M597435 MonkeyBear007 2025-07-23T13:57:08Z Re: ISE 3.3 system certificate update https://community.cisco.com/t5/network-access-control/ise-3-3-system-certificate-update/m-p/5312914#M597436 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1069406">@MonkeyBear007</a>&nbsp;what certificate usage do you refer to admin, eap, portal etc?</P> <P>It's common to use the same certificate (wildcard or multi SAN) certificate on the ISE nodes for EAP and Portal usage.</P> <P><A href="https://community.cisco.com/t5/security-knowledge-base/how-to-implement-digital-certificates-in-ise/ta-p/3630897" target="_blank" rel="noopener">https://community.cisco.com/t5/security-knowledge-base/how-to-implement-digital-certificates-in-ise/ta-p/3630897</A></P> <P><SPAN>Have a look at pages 31-37</SPAN>&nbsp;<A href="https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2024/pdf/BRKSEC-2234.pdf" target="_blank">https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2024/pdf/BRKSEC-2234.pdf</A></P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 23 Jul 2025 14:04:16 GMT https://community.cisco.com/t5/network-access-control/ise-3-3-system-certificate-update/m-p/5312914#M597436 Rob Ingram 2025-07-23T14:04:16Z Re: ISE 3.3 system certificate update https://community.cisco.com/t5/network-access-control/ise-3-3-system-certificate-update/m-p/5312936#M597437 <P>We use it for Admin, EAP authentication and portal&nbsp;&nbsp;<BR />I was thinking for ISE1 ISE1.domain.com for common for ISE1<BR />subject alternative name: ISE1, ISE2, IP address&nbsp; and DSN server name and etc..<BR />for ISE2 ISE2.domain.com for common for ISE2<BR />subject name ISE1 and ISE2 and etc<BR />subject alternative name: ISE1, ISE2, IP address&nbsp; and DSN server name and etc..</P><P>&nbsp;</P> Wed, 23 Jul 2025 14:50:42 GMT https://community.cisco.com/t5/network-access-control/ise-3-3-system-certificate-update/m-p/5312936#M597437 MonkeyBear007 2025-07-23T14:50:42Z Re: ISE 3.3 system certificate update https://community.cisco.com/t5/network-access-control/ise-3-3-system-certificate-update/m-p/5312944#M597439 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1069406">@MonkeyBear007</a>&nbsp;did you look at the ciscolive presentation and under the scenario of using wildcard or multiSAN certificate?</P> Wed, 23 Jul 2025 14:56:27 GMT https://community.cisco.com/t5/network-access-control/ise-3-3-system-certificate-update/m-p/5312944#M597439 Rob Ingram 2025-07-23T14:56:27Z Re: ISE 3.3 system certificate update https://community.cisco.com/t5/network-access-control/ise-3-3-system-certificate-update/m-p/5313070#M597446 <P>I did training and you can have problem using wild cards.<BR />I don't security will like idea of wild card<BR />I though you can use intune to force to trust a cert</P> Wed, 23 Jul 2025 17:50:36 GMT https://community.cisco.com/t5/network-access-control/ise-3-3-system-certificate-update/m-p/5313070#M597446 MonkeyBear007 2025-07-23T17:50:36Z Re: ISE 3.3 system certificate update https://community.cisco.com/t5/network-access-control/ise-3-3-system-certificate-update/m-p/5313073#M597447 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1069406">@MonkeyBear007</a>&nbsp;read the official cisco live presentation above, it explains a scenario where you may wish to use the same certificate (a wildcard or multi-SAN) on all of the PSNs if a client is authenticated by different PSN. The issue I refer to is specific to apple devices though, if it is not applicable to your environment then deploy individual certificates to each node.</P> Wed, 23 Jul 2025 17:59:39 GMT https://community.cisco.com/t5/network-access-control/ise-3-3-system-certificate-update/m-p/5313073#M597447 Rob Ingram 2025-07-23T17:59:39Z Re: ISE 3.3 system certificate update https://community.cisco.com/t5/network-access-control/ise-3-3-system-certificate-update/m-p/5314083#M597470 <P>Hello,<BR />For ISE 3.3 public certificate renewal on a primary and secondary deployment, it is best practice to generate a separate Certificate Signing Request (CSR) for each ISE node. While you can include both ISE server common names as Subject Alternative Names (SANs) in a single certificate and upload it to both, creating individual certificates for each ISE server, each with its own FQDN as the Common Name (CN) and also including the other node's FQDN as a SAN (if desired for specific services), is generally recommended. This approach simplifies management, clearly identifies each node, and aligns with the principle of least privilege for certificates. Remember that changing the Admin certificate will require a service restart, but ISE 3.3 offers a "Scheduled Restart" feature to minimize disruption. Always back up your existing certificates and keys before performing renewals.</P> Fri, 25 Jul 2025 11:51:56 GMT https://community.cisco.com/t5/network-access-control/ise-3-3-system-certificate-update/m-p/5314083#M597470 alison23taylor 2025-07-25T11:51:56Z Re: ISE 3.3 system certificate update https://community.cisco.com/t5/network-access-control/ise-3-3-system-certificate-update/m-p/5314185#M597471 <P>thank you</P> Fri, 25 Jul 2025 15:48:48 GMT https://community.cisco.com/t5/network-access-control/ise-3-3-system-certificate-update/m-p/5314185#M597471 MonkeyBear007 2025-07-25T15:48:48Z Re: ISE 3.3 system certificate update https://community.cisco.com/t5/network-access-control/ise-3-3-system-certificate-update/m-p/5314870#M597502 <P>is it recommended to do the primary first than do secondary for the ISE cert?</P> Mon, 28 Jul 2025 15:13:37 GMT https://community.cisco.com/t5/network-access-control/ise-3-3-system-certificate-update/m-p/5314870#M597502 MonkeyBear007 2025-07-28T15:13:37Z